04-26-2016 12:02 AM - edited 03-12-2019 05:59 AM
Hi Everyone,
Just a bit of background
As a lot of us know, the 5506 has built-in management for its FirePOWER module using ASDM.
However, the admin has the option to use an external FirePOWER Management Center if so desired.
One of our clients has a 5506 where its FirePOWER module and all related config is done through ASDM.
However, in the long run, we set up an external FirePOWER Management Center server to manage the SFR software module of the 5506.
However, even though I added/configured the manager IP, it wouldn't add to the FMC.
In the long run, I had to re-flash the ASA SFR and then I was able to add it to the FMC.
My question is, is there a quicker way in which I won't need to re-flash/re-image it? Priming the module takes a looooooooooooooooong time, especially when you are on a higher patch. If it was pre-managed initially through ASDM, it looks like simply adding a manager IP won't do it.
Is there like a command to say "hey ASA, disable your built-in ASDM management for the FirePOWER module, I need the module to be managed on an external FMC" haha :D
Hope someone can help
04-27-2016 02:02 AM
Hi,
I believe there is no problem adding the device to the FirePOWER Management Center even if it was managed by ASDM earlier, without any reimage, and it works fine without that as well.
It might be some other issue while trying to register the device because of which it failed, but a reimage is not required for adding it to the FMC.
Thanks,
Ankita
04-27-2016 10:19 PM
Yeah, the documentation also said that I only need to configure a manager IP, but that's what happened; I tried everything I could before re-imaging.
But as I said, this is what happened.
04-29-2016 03:07 AM
Hi LJ,
Hope you're doing well.
As soon as you add the FMC on SFR module then SFR clearly says to ASDM "Listen up bro, your duty is over & I got this amazing FMC to take care of me". Yeah, it does ;)
If it doesn't work then mostly it's the issue with communication between FMC and SFR. Check the status of sftunnel.
The sftunnel service status is set as 'waiting' while managing the SFR from ASDM. It should be up and running when the same is managed by FMC.
-> Verify if sftunnel.conf exists under /etc/sf/
-> Verify if it's running: pmtool status | grep sftunnel
There can be other issues as well, like port 8305 being blocked or an SSL certificate revocation, but the above is the most common issue.
Regards,
Dv
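A small check script for the sftunnel checks listed above, added here as an example and not part of the thread or of any Cisco tooling. It assumes it is run from the SFR module's expert shell, that `pmtool status` prints the process name and a state word on the same line (the exact output format is an assumption, so the parser only looks for those words), and that `nc` is available for the optional port check; `FMC_IP` is a hypothetical variable the reader sets.

```shell
#!/bin/sh
# Added example: sanity checks for the SFR-to-FMC management tunnel.
# Assumes the SFR expert shell; pmtool output format and nc are assumptions.

SFTUNNEL_CONF="${SFTUNNEL_CONF:-/etc/sf/sftunnel.conf}"
FMC_PORT=8305   # FMC registration/management port named in the thread

# Classify the sftunnel process from pmtool-style status text read on stdin.
# Prints one of: running, waiting, absent, unknown.
sftunnel_state() {
    line=$(grep -i 'sftunnel' | head -n 1)
    case "$line" in
        "")           echo absent ;;
        *[Rr]unning*) echo running ;;
        *[Ww]aiting*) echo waiting ;;
        *)            echo unknown ;;
    esac
}

# Return 0 when the sftunnel config file exists and is non-empty.
sftunnel_conf_present() {
    [ -s "$1" ]
}

# Run the checks on the module itself.
main() {
    if sftunnel_conf_present "$SFTUNNEL_CONF"; then
        echo "ok: $SFTUNNEL_CONF present"
    else
        echo "missing: $SFTUNNEL_CONF (no manager configured on the module?)"
    fi
    state=$(pmtool status 2>/dev/null | sftunnel_state)
    echo "sftunnel: $state"
    if [ "$state" = waiting ]; then
        echo "  module still expects local (ASDM) management"
    fi
    if [ -n "${FMC_IP:-}" ]; then
        # TCP reachability of the FMC port; a firewall in between is a common cause.
        if nc -z -w 5 "$FMC_IP" "$FMC_PORT" 2>/dev/null; then
            echo "ok: tcp/$FMC_PORT reachable on $FMC_IP"
        else
            echo "blocked or down: tcp/$FMC_PORT on $FMC_IP"
        fi
    fi
}

# Skip the live checks when sourced for testing.
[ "${SFTUNNEL_CHECK_NO_MAIN:-}" = 1 ] || main
```

Set `FMC_IP=<fmc-address>` before running to include the port 8305 reachability check.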
05-18-2016 02:10 PM
Kind of off-topic, but how do you manage this with the license? Did you move the license with help from Cisco? Because you first activated the on-box Control/Protect license, right? (I'm in a similar situation and have some doubts about moving to FireSIGHT management instead of the on-box one.)
05-22-2016 06:44 AM
We used the 45-day free trial thing when the server wasn't available yet.
Also, don't worry about that, Cisco will help you regenerate the license if needed.
Open a TAC case for that one.
08-09-2017 06:12 PM
Hi there,
We need to move from ASDM to FMC in a single ASA + SFR box environment.
Do you know whether the running SFR config will be preserved after the change from ASDM to FMC, or should we export the policies (ACP, system policies) and import them in FMC after we finish the SFR and FMC association?
TIA,
Hugo
08-10-2017 12:50 AM
When you move from local management (ASDM) to FMC management, it does not preserve the old policies. Only the bootstrap configuration (IP address, gateway, hostname, etc.) is preserved.
You will need to rebuild the policies on FMC and then deploy them to the ASA FirePOWER module once you have registered it.
You cannot export from ASDM as that isn't supported as a means of importing to FMC.
08-10-2017 04:10 AM
Mr. Rhoads,
Thanks a lot for your answer.
It's not the answer that would make me happy...
Regards,
Hugo